[bvt-inline] security_SandboxedServices Failure on veyron_rialto-release/R56-8909.0.0
Issue description

This report is automatically generated to track the following Failure:
Test: security_SandboxedServices.
Suite: bvt-inline.
Chrome Version: 56.0.2890.0.
Build: veyron_rialto-release/R56-8909.0.0.
Reason: One or more processes failed sandboxing.
build artifacts: https://storage.cloud.google.com/?arg=chromeos-image-archive/veyron_rialto-release/R56-8909.0.0.
results log: http://cautotest.corp.google.com/tko/retrieve_logs.cgi?job=/results/81283957-chromeos-test/chromeos4-row4-rack9-host14/debug/.
status log: http://cautotest.corp.google.com/tko/retrieve_logs.cgi?job=/results/81283957-chromeos-test/chromeos4-row4-rack9-host14/status.log.
buildbot stages: NA.
job link: http://cautotest.corp.google.com/afe/#tab_id=view_job&object_id=81283957.

You may want to check the test history on wmatrix: https://wmatrix.googleplex.com/unfiltered?hide_missing=True&tests=security_SandboxedServices
You may also want to check the test retry dashboard in case this is a flakey test: https://wmatrix.googleplex.com/retry_teststats/?days_back=30&tests=security_SandboxedServices

ANCHOR TestFailure{bvt-inline,security_SandboxedServices,One or more processes failed sandboxing}
Oct 19 2016
Think it just needs re-baselining.

10/17 21:18:14.971 ERROR|security_Sandboxed:0280| New services are not allowed to run as root, but these are: ['rialto_update_r', 'rialto_modem_wa', 'pppd', 'update_engine_c', 'rialto_timezone']
10/17 21:18:14.978 ERROR|security_Sandboxed:0284| Failed sandboxing: ['rialto_update_r', 'rialto_modem_wa', 'pppd', 'update_engine_c', 'rialto_timezone']

Currently these are expected to be running as root on rialto.
- pppd could be running on any device with a modem
- rialto_modem_wa could conceivably be reworked to not run as root.
- rialto_update_r and rialto_timezone may eventually be removed (post go/rialto-kiosk-migration)
- update_engine_c is a sub-command called by the rialto_update_r script that happened to be running when the test ran. (seems this test could be racy / flaky?)
Oct 19 2016
i think it's better that the people owning rialto add baselines to match their board. you can just create a file here to match the services: client/site_tests/security_SandboxedServices/baseline.rialto
Oct 19 2016
What is the format of that file? And does the first column use the process full name, or truncated name per the error log? (rialto_update_reboot vs rialto_update_r)
Oct 19 2016
if you look at the 'baseline' file, it'll show the format. you have to use the truncated name as shown in the logging error output:

10/17 21:18:14.978 ERROR|security_Sandboxed:0284| Failed sandboxing: ['rialto_update_r', 'rialto_modem_wa', 'pppd', 'update_engine_c', 'rialto_timezone']

alternatively, some of those services prob shouldn't be running as root ;)
Oct 19 2016
I did already look at the existing files for format, but pidns,caps,filter == No,No,No means little to me. (And yes, I did already mention in #2 that 4 of the 5 processes are planned to be removed or could be made non-root, but getting the release build green again is the priority right now.)
Oct 19 2016
pppd could be running as root on any chrome os device. Should that go in the base file?
Oct 19 2016
(for future reference - the baseline file suffix is derived from board name so the file needed is baseline.veyron_rialto not baseline.rialto)
Oct 19 2016
pidns == pid namespace is used
caps == capabilities is used
filter == seccomp is used

it's so obvious when you already know ;). i'll put together some docs.
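
An added example, not part of the original thread or of the autotest code, showing why the baseline must be keyed on the truncated process name: Linux reports a process name of at most 15 bytes, so a baseline entry written with the full name never matches. The CSV layout (exe,euser,pidns,caps,filter), the sample process rows and the function names are assumptions made for illustration; only the truncated names and the pidns/caps/filter meanings come from the comments above.

```python
import csv
import io

TASK_COMM_LEN = 16  # Linux kernel limit for a task name, including the trailing NUL


def comm_name(full_name):
    """Name as the kernel reports it in /proc/<pid>/comm: at most 15 bytes."""
    return full_name.encode()[:TASK_COMM_LEN - 1].decode(errors="ignore")


def load_baseline(text):
    """Parse the assumed CSV layout into {exe: row}."""
    return {row["exe"]: row for row in csv.DictReader(io.StringIO(text))}


def failed_sandboxing(processes, baseline):
    """Return comm names that are new root services or that drift from the baseline."""
    failed = []
    for proc in processes:
        name = comm_name(proc["exe"])
        expected = baseline.get(name)
        if expected is None:
            # Not baselined: only acceptable if it does not run as root.
            if proc["euser"] == "root":
                failed.append(name)
        elif any(proc[c] != expected[c] for c in ("euser", "pidns", "caps", "filter")):
            failed.append(name)
    return sorted(failed)


# Constructed sample data (not taken from a real device).
OBSERVED = [
    {"exe": "rialto_update_reboot", "euser": "root", "pidns": "No", "caps": "No", "filter": "No"},
    {"exe": "pppd", "euser": "root", "pidns": "No", "caps": "No", "filter": "No"},
    {"exe": "example_sandboxed_svc", "euser": "example", "pidns": "Yes", "caps": "Yes", "filter": "Yes"},
]
HEADER = "exe,euser,pidns,caps,filter\n"
BASELINE_FULL_NAMES = HEADER + "rialto_update_reboot,root,No,No,No\npppd,root,No,No,No\n"
BASELINE_TRUNCATED = HEADER + "rialto_update_r,root,No,No,No\npppd,root,No,No,No\n"

if __name__ == "__main__":
    print(failed_sandboxing(OBSERVED, load_baseline(BASELINE_FULL_NAMES)))
    print(failed_sandboxing(OBSERVED, load_baseline(BASELINE_TRUNCATED)))
```
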
Oct 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/eb0052d2cdbe731dbb9ccdb064b17d7602f7d2ca

commit eb0052d2cdbe731dbb9ccdb064b17d7602f7d2ca
Author: Jonathan Dixon <joth@google.com>
Date: Wed Oct 19 17:43:23 2016

security_SandboxedServices: rebaseline rialto root services

BUG= chromium:656878
TEST=security_SandboxedServices

Change-Id: I6f78ffea6c58154e4ac04b8b746360b3e820d628
Reviewed-on: https://chromium-review.googlesource.com/399895
Commit-Ready: Dan Shi <dshi@google.com>
Tested-by: Jonathan Dixon <joth@chromium.org>
Reviewed-by: Niranjan Kumar <kumarniranjan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/eb0052d2cdbe731dbb9ccdb064b17d7602f7d2ca/client/site_tests/security_SandboxedServices/baseline.veyron_rialto
Oct 24 2016
@vapier - I rebaselined Rialto and that has fixed it there, but a bunch of other boards have started failing since then. Back to you to determine next steps.

ninja-release tricky-tot-chrome-pfq-informational ninja-release peach_pit
Oct 24 2016
i don't know why those reports are getting lumped in, so let's delete all that noise and close it out
Nov 22 2016
Verified. https://wmatrix.googleplex.com/platform/unfiltered?hide_missing=True&tests=security_SandboxedServices&releases=tot&platforms=veyron_rialto
Comment 1 by joth@chromium.org, Oct 19 2016
Owner: vapier@chromium.org